| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 3 Oct 2015 10:17:10 +0200 From: Ingo Molnar <mingo@...nel.org> To: Dave Hansen <dave@...1.net> Cc: x86@...nel.org, linux-kernel@...r.kernel.org, linux-mm@...ck.org, Linus Torvalds <torvalds@...ux-foundation.org>, Andrew Morton <akpm@...ux-foundation.org>, Peter Zijlstra <a.p.zijlstra@...llo.nl>, Andy Lutomirski <luto@...nel.org>, Borislav Petkov <bp@...en8.de>, Kees Cook <keescook@...gle.com>, Brian Gerst <brgerst@...il.com> Subject: Re: [PATCH 26/26] x86, pkeys: Documentation * Ingo Molnar <mingo@...nel.org> wrote: > > * Dave Hansen <dave@...1.net> wrote: > > > > Another question, related to enumeration as well: I'm wondering whether > > > there's any way for the kernel to allocate a bit or two for its own purposes - > > > such as protecting crypto keys? Or is the facility fundamentally intended for > > > user-space use only? > > > > No, that's not possible with the current setup. > > Ok, then another question, have you considered the following usecase: So, I'm wondering about the following additional usecase: Right now the native x86 PTE format allows two protection related bits for user-space pages: _PAGE_BIT_RW: if 0 the page is read-only, if 1 then it's read-write _PAGE_BIT_NX: if 0 the page is executable, if 1 then it's not executable As discussed previously, pkeys allows 'true execute only (--x)' mappings. Another possibility would be 'true write-only (-w-)' mappings. This too could in theory be introduced 'transparently', via 'pure PROT_WRITE' mappings (i.e. no PROT_READ|PROT_EXEC bits set). Assuming the amount of user-space with implicit 'PROT_WRITE implies PROT_READ' assumptions is not unmanageble for a distro willing to try this. Usage of this would be more limited than of pure PROT_EXEC mappings, but it's a nonzero set: - Write-only log buffers that are normally mmap()-ed from a file. - Write-only write() IO buffers that are only accessed via write(). (kernel-space accesses ignore pkey values.) glibc's buffered IO might possibly make use of this, for write-only fopen()ed files. - Language runtimes could improve their security by eliminating W+X mappings of JIT-ed code, instead they could use two alias mappings: one alias is a true-exec (--x) mapping, the other (separately mapped, separately randomized) mapping is a true write-only (--x) mapping for generated code. In addition to the security advantage, another advantage would be increased robustness: no accidental corruption of IO (or JIT) buffers via read-only codepaths. Another advantage would be that it would utilize pkeys without having to teach applications to use new system calls. Thanks, Ingo -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists